GDPR: how does it affect patients?

Posted by media on June 7, 2018 at 9:00 AM

GDPR_how_does_it_affect_patients (2)

Under the new General Data Protection Regulation (GDPR), applicable throughout the EU since May 25, patients have new rights that ensure better protection of their data, while increasing the responsibilities and obligations of the organizations that this data.

In this post we look at how the new Regulation seeks to address this sector by empowering citizens with more rights and information.

This post is also available in Spanish.

    Table of contents

     - Conditions for consent

     - What new measures of consent must companies in the health sector take into account?


GDPR: patient protection vs the advancement of research

New technologies offer a host of opportunities to collect, process and share health data in a more efficient way. At the same time, they generate new challenges for privacy and security of the same, hence the restrictions that the EU has established in the new regulation while taking into account the necessary freedoms that this sector needs in order to evolve.

On the one hand, data concerning health has a special mention under the new GDPR considering it sensitive data, because the incorrect disclosure thereof could have a negative impact on the personal and professional life of a patient.

On the other hand, the processing of health data is fundamental for the health services to function properly, for patient security, to advance in research, therefore, being able to use the personal data of patients is sometimes of vital importance.

For these reasons, it is important that both patients and medical organizations, for example laboratories, know patients’ rights in this area and undertake to ensure the privacy in this sector for the common good.



Patient health: sensitive data

Patient health and genetic data are part of a special data category called "sensitive data". This covers all data that, due to the nature thereof, is particularly sensitive with regard to the fundamental rights and freedoms of patients.

Thus, this type of data is subject to stricter conditions when compared with other types of personal data such as for example, contact details.

Processing is prohibited unless it is in accordance with one of the reasons stated in article 9, section 2 in which explicit consent is highlighted: if the patient has explicitly given its unequivocal consent for the use of their data.

Exception to consent

Consent from the person concerned will not be required in the following cases:

  1. The purpose of the treatment is to protect the vital interest of the interested party.
  2. Processing is necessary for medical prevention or diagnosis, the provision of health care or the management of health services, provided that such treatment is carried out by a professional or by another person who is also subject to an obligation of secrecy.
  3. Personal health information will be communicated, including through electronic means, between organizations, centres and services of the National Health System in order to provide health care to the people.
  4. Other cases for reasons of general interest as stipulated by a Law.


Conditions for consent

The new Regulation establishes rules in order to strengthen the rights of citizens with regard to the process of giving consent for the collection, use and exchange of their personal health data.

The regulation explains that consent must be explicit and unambiguous, in other words that it must be given through a clear affirmative action, it must be given freely, and must be an "unequivocal indication of the agreement of a data subject regarding the processing" of their personal data.

It means that the patient carries out a "clear affirmative action” to make it known that they are in agreement with the processing of their data.

Silence or a box already checked are not considered
as consent as stated in Conclusion 32

Furthermore, consent must be specific for each procedure, and must only be used for the purposes established in the consent form.

An example would be the consent forms requested from patients used for clinical trials with regard to the use of their data.

In addition, the data controllers, in other words, the people or entities who collect people’s data, must be able to prove that the person has given their consent. In other words, it is for them to demonstrate it (article 7, paragraph 1).




More rights

The GDPR also introduces other stricter requirements which include:

  • Allowing people to give their consent for different parts of the collection and processing (granular consent).
  • Keeping records to demonstrate which people have given their consent, what was said to them and when and how they gave their consent.
  • Making consent easy to be withdrawn.
  • The "right to be forgotten”, which eliminates personal data when this is requested. (There are exceptions: for reasons of public interest in the area of public health or with scientific or historical research purposes).
  • The right to portability of data for which the subjects of clinical trials have the right to receive their personal data and transfer said data to another organization.
  • Stricter consent requirements for minors or those unable to give consent.
  • Providing certain information to individuals before obtaining their personal data, such as the identity and contact details of the data controller, the contact details of the person responsible for data protection, the objectives and the legal basis for processing, the recipients of the data, how long the data will be retained and the rights of the people under legislation.


     What new measures of consent must companies in the health sector take into account?

When processing confidential personal data, the GDPR obligates an Impact Evaluation on data protection to be carried out, both for processes started before 25 May 2018, and for the data that is in progress since before it entered fully into force.

More info: GDPR: 7 keys to comply with the GDPR in hospitals and clinics


The specific case of research

Although informed consent is a fundamental right, in some cases, exemptions to consent in order to share data are necessary to make the investigation possible, but always under guarantees.

Thus, in the Regulation, there is an option for the exemption of consent for research purposes, and if it is used, researchers must ensure that technical and organizational safeguards are in place when patient data is used (Article 89, paragraph 1).

One of the safeguards mentioned in the Regulation is pseudonymization, which ensures confidentiality through data encryption keys so that it is almost impossible to identify who the data belongs to without the key.

Researchers are also asked to use anonymous data whenever possible, in which it is completely impossible to identify the person based on the data.



The GDPR provides new and clearer rights to citizens and patients, while at the same time taking into account the characteristics of the sector the advance in health research.

The subject of Big Data is becoming more and more important in the area of health. Big Data is without a doubt a clear boost in order to generate innovation in health as it can directly influence patients and studies on medications, for example.

Therefore, it is important that the European legislator, public and private health institutions and patients, through organizations, continue collaborating for the protection and exchange of health data.

At Signaturit, we help to adapt any company's processes in the sector (hospital, clinic, or laboratory) to the new regulation in order to obtain patient consent in an easy, simple way and with all the legal guarantees with our eConsent electronic signature solution.

Get in touch with us at or call us directly on +34 93 551 14 80.

This post is also available in Spanish.

New Call-to-action

Topics: GDPR

Blog Subscription

Recent Posts